Add missing PostHog and analytics collector secrets to AWS provider

[ya-luotao]

Summary

• Add posthog-api-key secret to AWS Secrets Manager (matches GCP's posthog-api-key)
• Add analytics-collector secret with HOST and API_TOKEN fields (matches GCP's analytics-collector-host and analytics-collector-api-token)
• Wire posthog_api_key, analytics_collector_host, and analytics_collector_api_token through to the job-api module
• All secrets default to placeholder values and use ignore_changes lifecycle, matching existing AWS secrets pattern

Test plan

• terraform plan shows 3 new secrets (posthog-api-key, analytics-collector) and updated API job template
• With placeholder values, API service starts normally (empty strings are handled gracefully)
• When secrets are populated in AWS Secrets Manager, API correctly reads PostHog and analytics config

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 13bcb8ba63

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Trim whitespace secret defaults before forwarding to Nomad

The new AWS wiring forwards module.init.posthog_api_key and module.init.analytics_collector.* directly, but these secrets are initialized to a single space (" ") in iac/provider-aws/init/secrets.tf and are never trimspaced on this path. In fresh environments (or any environment still using placeholders), API receives whitespace-only values instead of empty strings, so empty-config guards won’t behave like the GCP path (which trims) and integrations may be treated as configured with invalid credentials/host values.

Useful? React with 👍 / 👎.